Email Wiretapping- Don't be a victim
By Neville French
Posted Wednesday, November 24, 2004
On the face of it, does email wiretapping sound scary? Yes? Yes it is scary and you should now how it's done and how to combat it.
A little while ago the known (but not known with a load presence) organisation called "The US based Privacy Foundation" became aware of a as un-yet widely known security hole in the latest incarnations of email clients produced by Microsoft and Netscape.
The security loophole essentially allows the sender of an email message to see what has been written when the message is forwarded with comments to other recipients. This procedure has been nickname "email wiretapping". As you can imagine this leads to surreptitiously monitoring of written messages attached and/or forwarded messages. Some not so pleasant uses involve:
1) In a sensitive business negotiation conducted via normal email, one party can learn inside information from the other parties as the proposal is discussed through the recipient company's internal email system.
2) A seeded email message could capture thousands of email addresses as the forwarded message is sent around the world.
Seeded with what? JavaScript is the answer and it can easily hide in any HTML email. Of course the JavaScript capability has to be enabled within the email client. Typical email readers with JavaScript functionality include Outlook, Outlook Express, and Netscape 6 Mail. Earlier versions of the Netscape mail readers are not affected because they do not fully support all the intricacies of JavaScript. Eudora and the AOL 6.0 series of email readers are not affected because JavaScript is turned off by default (but are vulnerable if turned on of course). Hotmail and other web-based email systems automatically strip out JavaScript programs from incoming email messages and therefore are not vulnerable.
The loophole is made possible because JavaScript is able to read text in an email message. If a message is forwarded to someone else, the hidden JavaScript code can read any text that has been added to the message when it is forwarded. This JavaScript code executes when the forwarded message is read. The JavaScript code then silently sends off this text using a hidden form to a web server belonging to the original sender of the message. The original sender can then retrieve the text at their convenience and read it.
A "wiretapped" email message is difficult to detect. An individual can avoid the email wiretap by turning off JavaScript in the email reader. However, if the individual forwards the message to someone who has JavaScript turned on, that recipient's forwarded messages can still be" wiretapped". Additionally, copying the original message into a new email, rather than forwarding it, may not defeat the problem.
What can users can do?
It is possible to partially eliminate the email wiretapping problem by turning off JavaScript in HTML email messages. You can visit the home webpage for your appropriate browser package if you are not sure on how to do this.
Switching off the JavaScript is only a partial solution because a "wiretapped" message will still work if it is replied to, or forwarded, to someone whose email program is vulnerable to the malicious JavaScript. The best policy is some form of group or corporate agreement on how to tackle this, especial where commercially sensitive material is involved.
About the Author
Neville French
E-Inform is centred around email marketing, producing it's own software products and resources + bespoke solutions for a diverse range of clients. (http://www.1einform.com)
